Add SAS recommendations

Author: pauljewellmsft

articles/storage/blobs/storage-blob-dotnet-get-started.md

@@ -116,6 +116,9 @@ To learn more about generating and managing SAS tokens, see the following articl
 - [Create a user delegation SAS for a container with .NET](storage-blob-container-user-delegation-sas-create-dotnet.md)
 - [Create a user delegation SAS for a blob with .NET](storage-blob-user-delegation-sas-create-dotnet.md)
 
+> [!NOTE]
+> For scenarios where shared access signatures (SAS) are used, Microsoft recommends using a user delegation SAS. A user delegation SAS is secured with Microsoft Entra credentials instead of the account key.
+
 ## [Account key](#tab/account-key)
 
 Create a [StorageSharedKeyCredential](/dotnet/api/azure.storage.storagesharedkeycredential) by using the storage account name and account key. Then use that object to initialize a [BlobServiceClient](/dotnet/api/azure.storage.blobs.blobserviceclient).

articles/storage/blobs/storage-blob-go-get-started.md

@@ -88,7 +88,7 @@ To use a shared access signature (SAS) token, append the token to the account UR
 :::code language="go" source="~/blob-devguide-go/cmd/client-auth/client_auth.go" id="snippet_get_service_client_SAS":::
 
 > [!NOTE]
-> A user delegation SAS offers superior security to a SAS that is signed with the storage account key. Microsoft recommends using a user delegation SAS when possible. For more information, see [Grant limited access to data with shared access signatures (SAS)](../common/storage-sas-overview.md).
+> For scenarios where shared access signatures (SAS) are used, Microsoft recommends using a user delegation SAS. A user delegation SAS is secured with Microsoft Entra credentials instead of the account key. For more information, see [Grant limited access to data with shared access signatures (SAS)](../common/storage-sas-overview.md).
 
 ## [Account key](#tab/account-key)
 

articles/storage/blobs/storage-blob-java-get-started.md

@@ -160,6 +160,9 @@ To learn more about generating and managing SAS tokens, see the following articl
 - [Create a user delegation SAS for a container with Java](storage-blob-container-user-delegation-sas-create-java.md)
 - [Create a user delegation SAS for a blob with Java](storage-blob-user-delegation-sas-create-java.md)
 
+> [!NOTE]
+> For scenarios where shared access signatures (SAS) are used, Microsoft recommends using a user delegation SAS. A user delegation SAS is secured with Microsoft Entra credentials instead of the account key.
+
 ## [Account key](#tab/account-key)
 
 Create a [StorageSharedKeyCredential](/java/api/com.azure.storage.common.storagesharedkeycredential) by using the storage account name and account key. Then use that object to initialize a [BlobServiceClient](/java/api/com.azure.storage.blob.blobserviceclient) object.

articles/storage/blobs/storage-blob-javascript-get-started.md

@@ -145,14 +145,16 @@ Depending on which tool you use to generate your SAS token, the querystring `?`
 
 :::code language="javascript" source="~/azure_storage-snippets/blobs/howto/JavaScript/NodeJS-v12/dev-guide/connect-with-sas-token.js" highlight="13-16":::
 
-The `dotenv` package is used to read your storage account name and sas token from a `.env` file. This file should not be checked into source control.
+The `dotenv` package is used to read your storage account name and SAS token from a `.env` file. This file should not be checked into source control.
 
 To generate and manage SAS tokens, see any of these articles:
 
 - [Grant limited access to Azure Storage resources using shared access signatures (SAS)](../common/storage-sas-overview.md?toc=/azure/storage/blobs/toc.json)
-
 - [Create a service SAS for a container or blob](sas-service-create.md)
 
+> [!NOTE]
+> For scenarios where shared access signatures (SAS) are used, Microsoft recommends using a user delegation SAS. A user delegation SAS is secured with Microsoft Entra credentials instead of the account key. To learn more, see [Create a user delegation SAS with JavaScript](storage-blob-create-user-delegation-sas-javascript.md).
+
 ---
 
 ## Create a ContainerClient object
@@ -183,6 +185,8 @@ Create the [ContainerClient](/javascript/api/@azure/storage-blob/containerclient
 
 :::code language="javascript" source="~/azure_storage-snippets/blobs/howto/JavaScript/NodeJS-v12/dev-guide/create-container-client-with-sas-token.js" highlight="19, 24":::
 
+> [!NOTE]
+> For scenarios where shared access signatures (SAS) are used, Microsoft recommends using a user delegation SAS. A user delegation SAS is secured with Microsoft Entra credentials instead of the account key. To learn more, see [Create a user delegation SAS with JavaScript](storage-blob-create-user-delegation-sas-javascript.md).
 
 -----------------
 
@@ -221,6 +225,9 @@ List of Blob clients:
 
 :::code language="javascript" source="~/azure_storage-snippets/blobs/howto/JavaScript/NodeJS-v12/dev-guide/create-blob-client-with-sas-token.js" highlight="17, 36":::
 
+> [!NOTE]
+> For scenarios where shared access signatures (SAS) are used, Microsoft recommends using a user delegation SAS. A user delegation SAS is secured with Microsoft Entra credentials instead of the account key. To learn more, see [Create a user delegation SAS with JavaScript](storage-blob-create-user-delegation-sas-javascript.md).
+
 -----------------
 
 The `dotenv` package is used to read your storage account name from a `.env` file. This file should not be checked into source control.

articles/storage/blobs/storage-blob-python-get-started.md

@@ -151,6 +151,9 @@ To learn more about generating and managing SAS tokens, see the following articl
 - [Create a user delegation SAS for a container with Python](storage-blob-container-user-delegation-sas-create-python.md)
 - [Create a user delegation SAS for a blob with Python](storage-blob-user-delegation-sas-create-python.md)
 
+> [!NOTE]
+> For scenarios where shared access signatures (SAS) are used, Microsoft recommends using a user delegation SAS. A user delegation SAS is secured with Microsoft Entra credentials instead of the account key. 
+
 ## [Account key](#tab/account-key)
 
 To use a storage account shared key, provide the key as a string and initialize a [BlobServiceClient](/python/api/azure-storage-blob/azure.storage.blob.blobserviceclient) object.

articles/storage/blobs/storage-blob-typescript-get-started.md

@@ -144,14 +144,16 @@ Depending on which tool you use to generate your SAS token, the querystring `?`
 
 :::code language="typescript" source="~/azure_storage-snippets/blobs/howto/TypeScript/NodeJS-v12/dev-guide/src/auth-service-connect-from-sas-token.ts" :::
 
-The `dotenv` package is used to read your storage account name and sas token from a `.env` file. This file should not be checked into source control.
+The `dotenv` package is used to read your storage account name and SAS token from a `.env` file. This file should not be checked into source control.
 
 To generate and manage SAS tokens, see any of these articles:
 
 - [Grant limited access to Azure Storage resources using shared access signatures (SAS)](../common/storage-sas-overview.md?toc=/azure/storage/blobs/toc.json)
-
 - [Create a service SAS for a container or blob](sas-service-create.md)
 
+> [!NOTE]
+> For scenarios where shared access signatures (SAS) are used, Microsoft recommends using a user delegation SAS. A user delegation SAS is secured with Microsoft Entra credentials instead of the account key. To learn more, see [Create a user delegation SAS with JavaScript](storage-blob-create-user-delegation-sas-javascript.md).
+
 ---
 
 ## Create a ContainerClient object
@@ -183,6 +185,8 @@ Create the [ContainerClient](/javascript/api/@azure/storage-blob/containerclient
 
 :::code language="typescript" source="~/azure_storage-snippets/blobs/howto/TypeScript/NodeJS-v12/dev-guide/src/auth-container-client-from-sas-token.ts" :::
 
+> [!NOTE]
+> For scenarios where shared access signatures (SAS) are used, Microsoft recommends using a user delegation SAS. A user delegation SAS is secured with Microsoft Entra credentials instead of the account key. To learn more, see [Create a user delegation SAS with JavaScript](storage-blob-create-user-delegation-sas-javascript.md).
 
 -----------------
 
@@ -221,6 +225,9 @@ List of Blob clients:
 
 :::code language="typescript" source="~/azure-storage-snippets/blobs/howto/TypeScript/NodeJS-v12/dev-guide/src/auth-blob-client-from-blob-sas-token.ts":::
 
+> [!NOTE]
+> For scenarios where shared access signatures (SAS) are used, Microsoft recommends using a user delegation SAS. A user delegation SAS is secured with Microsoft Entra credentials instead of the account key. To learn more, see [Create a user delegation SAS with JavaScript](storage-blob-create-user-delegation-sas-javascript.md).
+
 -----------------
 
 The `dotenv` package is used to read your storage account name from a `.env` file. This file should not be checked into source control.